We re-examine the challenges concerning causality in the semantics of Esterel and show that they pertain to the known issues in the semantics of Structured Operational Semantics with negative premises. We show that the solutions offered for the semantics of SOS also provide answers to the semantic challenges of Esterel and that they satisfy the intuitive requirements set by the language designers.

1 Introduction 

Esterel [Ber99, PBEB07] is an imperative synchronous language used for the specification and programming of embedded systems. Esterel is based on the synchronous hypothesis, i.e., instantaneous reaction to signals and immediate propagation of signals in each time-instant. The combination of the imperative programming style and the synchronous hypothesis in Esterel has led to semantic challenges addressed in the literature [HBG92, Ber99, Tin00, Tin01, TdS05, PB02]. In this paper, we present the main semantic challenge posed by Esterel, namely, the issue of causality. We show that it is reminiscent of the semantic challenges [Gro93, BG96, Gla04] in Structured Operational Semantics [AFV01] (esp. in the setting with negative premises; the same challenges were encountered before in logic programming [AB94]). We then show that using the known solutions for the latter simplifies the presentation of the semantics of the former substantially and leads to the desired intuitive properties set forth by the language designers.

The rest of this paper is organized as follows. In Section 2 we present a brief overview of the Esterel language and its intuitive semantics. Section 3 introduces Structured Operational Semantics and notions of semantics and well-definedness associated with SOS specifications. Section 4 connects these two worlds by first presenting an SOS specification for Esterel and then studying the notions of semantics and well-definedness for the given specification. There, we show that certain notions of semantics for SOS formalize the intuitive criteria given by the language designers. Section 5 concludes the paper and presents directions for future research.

2 Esterel and Its Semantics: A Cook's Tour 

The abstract syntax of Esterel is given by the grammar in Figure 1.

p, q ::= 0 | emit s | pres s ? p o q end | p ; q | p || q | sign s in p end |
         1 | susp p when s | trap t in p end | exit t | loop p end

Figure 1: The Abstract Syntax of Esterel

A short introduction to the intuitive semantics of each of these constructs follows. In this grammar, 0 stands for the terminated process. Emitting signal s is denoted by emit s, which is instantaneously visible to all parts of the system (and may in turn cause more signals to be emitted). Reacting to present and absent signals is done via the if-then-else construct pres s ? p o q end, where if s is currently present (emitted by some other part of the system), p is executed, otherwise, if s is absent, q is executed. The combination of the synchronous assumption, i.e., instantaneous propagation of signals, and checking for the absence/presence of signals leads to semantic complications, presented shortly. Parallel composition of p and q is denoted by p || q. Process sign s in p end encapsulates s in p, i.e., declares s local to p. Another way of reacting to signals is by using the suspend construct susp p when s, which initially acts as p, but after one synchronous round will stop p as soon as signal s is emitted (suspension may happen after a number of rounds). Process 1 stands for a process that passes one unit of time and then terminates. One can define traps (exit points, exception handlers) to which a program can jump by trap t in p end. The actual jump (raising the exception) is performed by executing exit t. A program can engage in a loop by means of loop p end (it can either keep on executing in the loop or exit the loop using exit t).

An Esterel program is usually suffixed by a header declaring input and output signals. The syntax of this header is of the form input i; output o; and we assume that the set of input and output variables in a program is disjoint from the set of its local signals. Moreover, to unclutter the syntax, we assume fixed sets ℐ, 𝒪 and Λ, respectively, of input, output and local variables. We pick typical members i, i', i_0, ... ∈ ℐ, o, o', o_0, ... ∈ 𝒪 and s, s', s_0, ... ∈ Λ. This way, one does not need to consider the input and output declarations anymore, since input, output (and local) variables are recognized by their names. In some cases output and local variables can be treated uniformly, in which case we denote them by x, x', x_0 ∈ 𝒪 ∪ Λ.

To study the semantic challenge concerning causality it suffices for us to look at the first two rows of 
our grammar. The other constructs, e.g., traps and time passing, are semantically interesting on their own 
but are treated satisfactorily in the literature and are orthogonal to the causality problems addressed here. 
Hence, in the remainder, we focus on the subset of Esterel given in the first two lines of our grammar and 
only in passing mention how to include time and traps in our presented semantics. 

A causality relation between events s and s' (signals in this case) means that the presence or absence of s directly influences the presence or absence of s'. For example, consider the following Esterel program:

P0   pres i ? emit s o 0 end ; pres s ? 0 o emit o end

In the above program, there is a causality chain starting from the input variable i to the local variable s and from s to the output variable o, namely the presence of i determines the presence of s and eventually leads to the absence of o, while the absence of s (caused by the absence of i) determines the presence of o. Using the syntax of Esterel one can easily write programs with cyclic dependencies (e.g., s is present if and only if s is present) or, even worse, cyclic dependencies of a paradoxical nature (e.g., s is present if and only if s is absent). To illustrate these issues in Esterel, consider the following simple programs, which are all due to [Ber99]. These programs are canonical examples of different issues concerning causality in Esterel programs.

P1   pres s ? emit s o 0 end

Program P1 relies on the presence of s in order to emit signal s. The logical semantics of Esterel rejects this program on the ground that it has two "models". The first one is obtained by assuming that s is present, which leads to a justification of this assumption by emitting s. The other one is obtained by assuming that s is absent, which is supported by the else branch 0, which does not emit (denies emitting) signal s.
In each synchronous round, the "model" of an Esterel program is defined by a global status, which 
defines the status (presence/absence) of signals in this round. A global status of a program is called 
coherent when the presence/absence of signals is determined consistently by the emit statements in the program [Ber99]:

The global status of a program is logically coherent iff at least one emit statement is 
executed for each signal assumed present and no emit statement is executed for each 
signal assumed absent. 

For example, program P1 has two logically coherent global statuses, namely presence of s and absence of s, as motivated above. The basis for rejecting program P1 is called "logical determinism" and is defined as follows [Ber99].

A program is logically deterministic if it has at most one logically coherent global 
status. 

P2   pres s ? 0 o emit s end

Program P2 relies on the absence of s in order to emit signal s. According to the logical semantics 
of Esterel, the above-given program has no logically coherent global status. Assuming that s is 
absent leads to s being emitted and hence, incoherency. Likewise, assuming that s is present 
requires emission of s, which is only justified when s is absent. 

The basis for rejecting program P2 is called "logical reactivity" and is defined as follows [Ber99].

A program is logically reactive if it has at least one logically coherent global status. 

The conjunction of logical determinism and logical reactivity is called logical coherency and is the 
main well-definedness criterion for the logical semantics of Esterel. 

P3 pres s ? emit s o emit s end 

The program above has only one logically coherent global status, namely that s is present. This 
global status is also coherent since assuming the presence of s leads to emitting it and moreover, it 
is not logically coherent to assume the absence of s, because it leads to its emission. Hence, as far 
as logical coherency is concerned this program is accepted and the logical semantics defines the 
semantics sketched above for this program. 

However, the semantics of Esterel used for its compiler, called the constructive semantics [Ber99, 
PBEB07], has further constraints which lead to the rejection of the above program. In this paper, 
we consider the issue of causality in both variants of the semantics and hence, also study the issue 
of constructiveness defined below. 

A program is constructive if for each signal, it either proves its presence (must emit the signal) or proves its absence (cannot emit it).

Program P3 is rejected by the above criterion since it can neither prove the emission of s (its only possible proof is cyclic, since it relies on the assumption that s is emitted), nor can it coherently prove its absence, since to prove the absence of s it should prove that neither of the two emit statements can be executed, and thus it should prove that s can be neither present nor absent.

P4   pres s_0 ? emit s_0 o 0 end || pres s_0 ? pres s_1 ? 0 o emit s_1 end o 0 end

Note that P4 is logically coherent, since its only logically coherent global status is that both s_0 and s_1 are absent. To check its constructiveness, let us focus on the emission of s_0. It definitely does not have to emit s_0, since the only reason for emitting s_0 is the emit s_0 statement in the left-hand side of the parallel composition, which is guarded by the check on the presence of s_0. Hence, the only proof for emitting s_0 is cyclic. But it can potentially emit s_0 (because it contains an emit s_0 statement) and the only way to make sure that s_0 cannot be emitted is to prove that the guard for emit s_0 never becomes true, i.e., we need again to show that s_0 cannot be emitted, which is also cyclic reasoning. Hence, we conclude that P4 is not constructive because it neither must emit s_0, nor can it deny its emission.

P5   pres s_0 ? emit s_1 o 0 end ; emit s_0

The above program is logically coherent and its unique logically coherent global status is that both s_0 and s_1 are present. However, it is again rejected by the constructive semantics of Esterel. The reason is that in order to reach the emit statement for s_0, we should first make sure that the first statement has a well-defined semantics in this context, i.e., it either takes the if branch or the else branch and then terminates. However, giving a constructive proof for the transition of the conditional requires a constructive proof for the emission of s_0. This is another instance of the cyclic proof phenomenon rejected by the constructive semantics.
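Both criteria discussed above can be checked mechanically for the causality-relevant subset of the grammar. The following Python program is an added worked example, not code from the paper or from the Esterel compiler: it enumerates the logically coherent global statuses of a program (the quoted definition of a coherent status, with reactivity and determinism as bounds on how many there are) and then runs a must/cannot fixed point in the spirit of the constructive semantics, deciding a signal only once it is either certainly emitted or certainly not emittable. The program representation (`Nothing`, `Emit`, `Pres`, `Seq`, `Par`), the function names, the three-valued status encoding and the dictionary used as input evaluation are assumptions of this example; sign, 1, susp, trap and loop are omitted, as in the rest of the paper.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union

# Abstract syntax of the causality-relevant subset (first two rows of Figure 1, without sign).
@dataclass(frozen=True)
class Nothing: pass                               # 0, the terminated process
@dataclass(frozen=True)
class Emit: sig: str                              # emit sig
@dataclass(frozen=True)
class Pres: sig: str; then: "Prog"; els: "Prog"   # pres sig ? then o els end
@dataclass(frozen=True)
class Seq: p: "Prog"; q: "Prog"                   # p ; q
@dataclass(frozen=True)
class Par: p: "Prog"; q: "Prog"                   # p || q
Prog = Union[Nothing, Emit, Pres, Seq, Par]

def signals(p: Prog) -> FrozenSet[str]:
    if isinstance(p, Nothing):
        return frozenset()
    if isinstance(p, Emit):
        return frozenset({p.sig})
    if isinstance(p, Pres):
        return frozenset({p.sig}) | signals(p.then) | signals(p.els)
    return signals(p.p) | signals(p.q)

# --- Logical semantics: enumerate the coherent global statuses --------------
def emitted(p: Prog, status: FrozenSet[str]) -> FrozenSet[str]:
    """Signals emitted in the instant when exactly the signals in `status` are present.
    Without pause (1) every program of the subset terminates, so `p ; q` always reaches q."""
    if isinstance(p, (Nothing, Emit)):
        return signals(p)                         # 0 emits nothing, emit s emits s
    if isinstance(p, Pres):
        return emitted(p.then if p.sig in status else p.els, status)
    return emitted(p.p, status) | emitted(p.q, status)

def coherent_statuses(p: Prog, inputs: Dict[str, bool]) -> List[FrozenSet[str]]:
    """Statuses in which each non-input signal is present iff an emit for it executes."""
    locs = sorted(signals(p) - set(inputs))
    given = frozenset(i for i, on in inputs.items() if on)
    statuses = []
    for bits in product([False, True], repeat=len(locs)):
        assumed = frozenset(s for s, on in zip(locs, bits) if on)
        if emitted(p, assumed | given) & frozenset(locs) == assumed:
            statuses.append(assumed | given)
    return statuses                               # reactive: >= 1, deterministic: <= 1

# --- Constructive semantics: must / cannot fixed point ----------------------
PRESENT, ABSENT, UNKNOWN = "+", "-", "?"

def must(p: Prog, st: Dict[str, str]) -> Tuple[FrozenSet[str], bool]:
    """(signals p must emit, whether p must terminate) under partial knowledge st.
    A test on an undecided signal commits to neither branch and so proves nothing."""
    if isinstance(p, (Nothing, Emit)):
        return signals(p), True
    if isinstance(p, Pres):
        if st[p.sig] == UNKNOWN:
            return frozenset(), False
        return must(p.then if st[p.sig] == PRESENT else p.els, st)
    (m1, t1), (m2, t2) = must(p.p, st), must(p.q, st)
    if isinstance(p, Par):
        return m1 | m2, t1 and t2
    return (m1 | m2, t2) if t1 else (m1, False)   # q is reached only if p must terminate

def can(p: Prog, st: Dict[str, str]) -> FrozenSet[str]:
    """Signals p can possibly emit under st; an undecided test keeps both branches."""
    if isinstance(p, (Nothing, Emit)):
        return signals(p)
    if isinstance(p, Pres):
        if st[p.sig] == UNKNOWN:
            return can(p.then, st) | can(p.els, st)
        return can(p.then if st[p.sig] == PRESENT else p.els, st)
    return can(p.p, st) | can(p.q, st)

def constructive_status(p: Prog, inputs: Dict[str, bool]) -> Dict[str, str]:
    """Iterate must/can to a fixed point: a signal becomes present only with a
    non-cyclic reason to emit it, absent only once no emit for it can run."""
    st = {s: UNKNOWN for s in signals(p)}
    st.update({i: PRESENT if on else ABSENT for i, on in inputs.items()})
    while True:
        m, c, changed = must(p, st)[0], can(p, st), False
        for s in [s for s, v in st.items() if v == UNKNOWN]:
            if s in m:
                st[s], changed = PRESENT, True
            elif s not in c:
                st[s], changed = ABSENT, True
        if not changed:
            return st                             # leftover "?" = only cyclic justifications

def constructive(p: Prog, inputs: Dict[str, bool]) -> bool:
    st = constructive_status(p, inputs)
    return UNKNOWN not in st.values() and must(p, st)[1]

# Berry's programs P0 to P5 exactly as recalled above (0 written as Z).
Z = Nothing()
P0 = Seq(Pres("i", Emit("s"), Z), Pres("s", Z, Emit("o")))
P1 = Pres("s", Emit("s"), Z)
P2 = Pres("s", Z, Emit("s"))
P3 = Pres("s", Emit("s"), Emit("s"))
P4 = Par(Pres("s0", Emit("s0"), Z), Pres("s0", Pres("s1", Z, Emit("s1")), Z))
P5 = Seq(Pres("s0", Emit("s1"), Z), Emit("s0"))
```

Run on the programs defined at the end of the block, `coherent_statuses` reproduces the logical classification given above (two statuses for P1, none for P2, exactly one for P0, P3, P4 and P5), and `constructive` separates the two semantics: P3, P4 and P5 leave a signal undecided and are rejected, while P0 is accepted under either input evaluation. The check `must(p, st)[1]` in `constructive` is what rejects P5: its sequential composition cannot be shown to reach emit s_0 until s_0 itself is decided, which is the cyclic proof described in the text.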

3 Structured Operational Semantics 

Structural Operational Semantics (SOS) was originally proposed by Plotkin [Plo04] as a syntax-directed and compositional way of defining semantics. Gradually, SOS has gained popularity and by now has become a de facto standard for defining operational semantics. This popularity has called for a richer syntax for SOS deduction rules and thus, in some applications, SOS deduction rules lost their structural, i.e., inductive, nature. Some authors then decided to use the same acronym for Structured Operational Semantics [AFV01, GV92]. With the richer syntax of SOS rules, one can write deduction rules whose meaning is not clear any more.

Example 1 Examples of cyclic rules are the deduction rules (r1) and (r2) given below.

         p -s-> p               p -s/->
  (r1) ----------        (r2) ----------
         p -s-> p               p -s-> p

The reader may already note the curious similarity between program PI and deduction rule (rl) on 
one hand and program P2 and deduction rule (r2) on the other hand. Moreover, program P3 resembles 
the combination of (rl) and (r2). These similarities materialize as formal definitions in the remainder 
of this paper. 

To formalize the syntax and semantics of SOS, we first formalize the concepts of terms and (transition) formulae.

Definition 2 (Signature and (sub)terms) We let V represent an infinite set of variables. A signature Σ is a set of function symbols (operators), each with a fixed arity. An operator with arity zero is called a constant. We define the set T(Σ) of terms over Σ as the smallest set satisfying the following constraints.

• A variable x ∈ V is a term.

• If f ∈ Σ has arity n and t_1, ..., t_n are terms, then f(t_1, ..., t_n) is a term.

We write t_1 = t_2 if t_1 and t_2 are syntactically equal. The function vars : T(Σ) → 2^V gives the set of variables appearing in a term. The set C(Σ) ⊆ T(Σ) is the set of closed terms, i.e., terms that contain no variables. A substitution σ is a function of type V → T(Σ). We extend the domain of substitutions to terms homomorphically. If the range of a substitution lies in C(Σ), we say that it is a closing substitution.

A term s is considered a subterm of itself; if s is a subterm of t_i, then s is also a subterm of f(t_0, ..., t_{n-1}), for each s, t_i ∈ T(Σ), 0 ≤ i < n, and n-ary f ∈ Σ. The set of subterms of a term t is denoted by subterms(t).

Next, we formalize the syntax of SOS in terms of Transition System Specifications. 

Definition 3 (Transition System Specifications (TSS)) A transition system specification is a triplet (Σ, L, D) where

• Σ is a signature.

• L is a set of labels. If l ∈ L and t, t' ∈ T(Σ), we say that t -l-> t' is a positive formula, and t -l/-> (also denoted by ¬t -l->) and t -l/-> t' are negative formulae. A formula, typically denoted by φ, ψ, φ', φ_i, ..., is either a negative formula or a positive one.

• D is a set of deduction rules, i.e., tuples of the form (Φ, φ) where Φ is a set of formulae and φ is a positive formula. We call the formulae contained in Φ the premises of the rule and φ the conclusion.

We write vars(r) to denote the set of variables appearing in a deduction rule (r). We say a formula is closed if all of its terms are closed. Substitutions are also extended to formulae and sets of formulae in the natural way.

A deduction rule (Φ, φ) is typically written as Φ / φ, with the premises above the bar and the conclusion below it. For a deduction rule r, we write conc(r) to denote its conclusion and prem(r) to denote its premises. A set of positive closed formulae is called a transition relation. Given a transition relation T, the set of L'-labeled transitions of a closed term p, denoted by T ↓ (p, L'), is the subset of T containing all formulae in T that have p as their source and some l ∈ L' as their label. A TSS is supposed to define a transition relation, but for TSSs such as those given by deduction rules (r1) and (r2), it is not clear what the associated transition relation is. Several proposals are given in the literature, of which [Gla04] gives a comprehensive overview and comparison. In this paper, we shall use some of these proposals to define the semantics of Esterel. In order to facilitate the presentation of these proposals, we need two auxiliary definitions, namely contradiction and consistency, which are given below.

Definition 4 (Contradiction and Consistency) Formula t -l-> t' is said to contradict both t -l/-> and t -l/-> t', and vice versa. Φ is consistent w.r.t. Ψ, denoted by Φ ⊨ Ψ, when for each positive formula ψ ∈ Ψ it holds that ψ ∈ Φ, and for each negative formula ψ ∈ Ψ there is no φ ∈ Φ such that φ contradicts ψ.

In the remainder, we only use negative formulae of the form t -/» in our specifications. We now have 
all the necessary ingredients to present different proposals for the semantics of TSSs. The first proposal 
is the following notion of supported model, which is a slight modification of the definition in [Gla04] 
(restricting it to particular sets of terms and labels). 

Definition 5 (Supported Model) Given a TSS, a transition relation T is a supported model for a set P ⊆ C(Σ) of closed terms and a set L' ⊆ L of labels, when

1. for each q, q' ∈ T(Σ) and l ∈ L, if q -l-> q' ∈ T, then there exists a deduction rule Φ / φ and a substitution σ such that σ(φ) = q -l-> q' and T ⊨ σ(Φ), and

2. for each p ∈ P, l ∈ L' and p' ∈ T(Σ), if there exists a deduction rule Φ / φ and a substitution σ such that σ(φ) = p -l-> p' and T ⊨ σ(Φ), then p -l-> p' ∈ T.

A transition relation T is a supported model for a TSS when it is a supported model for C(Σ) and L.

Note that in the above definition and throughout the rest of the paper, we only consider the "imme- 
diate transitions" of p as its semantics. One can adapt the above definitions (and the subsequent ones) to 
consider the "transition system" associated with p as its semantics. For the subset of Esterel considered 
in this paper, these two notions lead to the same conclusion concerning the well-definedness and the 
semantics of a program. 

Semantics 1 (Unique Supported Model Semantics) Given a set P ⊆ C(Σ) of closed terms and a set L' ⊆ L of labels, a TSS is meaningful w.r.t. P and L' when it has a unique supported model for P and L'; the transition system associated with P and L' is the unique supported model for P and L'. A TSS is meaningful when it has a unique supported model; the transition relation associated with a TSS is its unique supported model.

To illustrate these concepts, we give a few simple TSSs and study their supported models. 

Example 6 Consider the deduction rules given in Example 1.

Consider the TSS comprising only deduction rule (r1). This TSS is not meaningful (w.r.t. {p} and {s}) according to Semantics 1 because it has two supported models, namely ∅ and {p -s-> p}.

Also according to Semantics 1, the TSS comprising only deduction rule (r2) is not meaningful (w.r.t. {p} and {s}) either, because it has no supported model. Particularly, T = ∅ is not a supported model because it follows from the right-to-left implication of Definition 5 that p -s-> p ∈ T. T = {p -s-> p} is not a supported model either, since the only deduction rule providing a reason for p -s-> p ∈ T is (r2), but it does not hold that T ⊨ p -s/->.

The TSS comprising both (r1) and (r2) is indeed meaningful and its associated transition relation is T = {p -s-> p}. Transition relation T is indeed a supported model since (r1) now provides a reason for p -s-> p ∈ T. Moreover, T' = ∅ is not a supported model for this TSS because it then follows from (r2) and the right-to-left implication of Definition 5 that p -s-> p ∈ T'.

If one takes the transition relation of a program as a formalization of its global status, then the TSS comprising only deduction rule (r2) is rejected because it has no coherent global status, and the TSS with only (r1) is rejected because it equivocally defines a coherent global status.

This suggests that Semantics 1 provides a suitable formalization for logical coherency. Next, we give a formalization of constructiveness in terms of supported proofs and denials.

Definition 7 (Supported Proofs) A TSS 𝒯 provides a supported proof for a formula φ, denoted by 𝒯 ⊢_s φ, when there is a well-founded upwardly branching tree with formulae as nodes and of which

• the root is labelled by φ;

• if a node is labelled by a positive formula ψ and the nodes above it form the set K, then K / ψ is an instance of a deduction rule in 𝒯;

• if a node is labelled by a negative formula ψ, and the nodes above it form the set K, then for each instance of a deduction rule K_i / ψ_i in 𝒯 such that ψ_i contradicts ψ, there exists a formula ψ' ∈ K contradicting a formula in K_i.
Semantics 2 (S-Complete Semantics) A TSS is s-complete for a set of closed terms P when for each formula φ with a p ∈ P as its source, either φ or a formula contradicting it has a supported proof. A TSS is s-complete when it is s-complete for the set C(Σ) of all closed terms, and its transition relation is the set of positive formulae for which it provides supported proofs.

The following theorem is taken from [Gla04]; it shows that constructiveness is indeed stronger than logical coherency.

Theorem 8 A program (TSS) is s-complete only if it is meaningful according to Semantics 1 (has a unique supported model) and its associated transition system (unique supported model) coincides with the set of all positive formulae with a supported proof.

Another useful property of supported proofs is their consistency [Gla04], stated below.

Theorem 9 The notion of supported proof is consistent, i.e., for each formula φ with a supported proof, its negation does not have a supported proof.

Next, we re-examine the TSSs of Example 6 using our new notion of semantics.

Example 10 The two TSSs comprising only (r1) and only (r2) are both rejected by Semantics 2 as well, since neither p -s-> p nor p -s/-> can be proven from either of them. (This is also an immediate consequence of Theorem 8.)

In the case of the TSS comprising only (r1), any attempt to build a supported proof for p -s-> p has the same formula as its premise. Moreover, p -s/-> cannot be proven because its proof tree should prove a negation of a premise of (r1), i.e., again p -s/->. In other words, both p -s-> p and p -s/-> only have cyclic, and thus unsupported, proofs.

Similarly, in the case of the TSS comprising only (r2), neither p -s-> p nor p -s/-> has a supported proof.

Consider the TSS comprising both (r1) and (r2); it does have a unique supported model T = {p -s-> p}, but it is not s-complete and is thus rejected by Semantics 2. Any proof for p -s-> p or its negation leads to a cycle, i.e., repeating the node below in the node above, and is thus not supported.

Again drawing an analogy with Esterel programs, Semantics 2 requires the existence of a "constructive" (supported) proof for presence/absence of signals and thus rejects a program which uses both possibilities for a signal in order to establish its own presence.
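For a TSS with finitely many closed formulae, Definition 5 (supported models, used in Example 6) and Definition 7 (supported proofs, used in Example 10) can both be decided by exhaustive search. The following Python script is an added worked example and not part of the paper: it encodes (r1) and (r2) of Example 1 as ground rules over the single candidate transition p -s-> p, enumerates the supported models by checking items 1 and 2 of Definition 5 against every subset of the candidate transitions, and searches for supported proofs by depth-first search in which the open goals on the current branch serve as the well-foundedness check. The tuple encoding of formulae, the function names, and the premise-free rule `AXIOM` added for contrast are assumptions of this example.

```python
from itertools import chain, combinations
from typing import FrozenSet, List, Sequence, Tuple, Union

Pos = Tuple[str, str, str]        # positive formula  t -l-> t'  as (source, label, target)
Neg = Tuple[str, str]             # negative formula  t -l/->    as (source, label)
Formula = Union[Pos, Neg]
Rule = Tuple[List[Formula], Pos]  # (premises, conclusion) of a ground deduction rule

def contradicts(phi: Formula, psi: Formula) -> bool:
    """Definition 4: t -l-> t' contradicts t -l/-> and vice versa."""
    pos, neg = (phi, psi) if len(phi) == 3 else (psi, phi)
    return len(pos) == 3 and len(neg) == 2 and pos[:2] == neg

def holds(T: FrozenSet[Pos], premise: Formula) -> bool:
    """T |= premise: a positive premise is in T; a negative one is contradicted by nothing in T."""
    if len(premise) == 3:
        return premise in T
    return not any(contradicts(t, premise) for t in T)

def is_supported_model(T: FrozenSet[Pos], rules: Sequence[Rule]) -> bool:
    def fires(prem): return all(holds(T, pr) for pr in prem)
    # item 1: every transition in T is the conclusion of a rule whose premises hold in T
    supported = all(any(conc == t and fires(prem) for prem, conc in rules) for t in T)
    # item 2: every rule whose premises hold in T has its conclusion in T
    closed = all(conc in T for prem, conc in rules if fires(prem))
    return supported and closed

def supported_models(rules: Sequence[Rule], universe: Sequence[Pos]) -> List[FrozenSet[Pos]]:
    """All supported models among the subsets of the candidate transitions."""
    subsets = chain.from_iterable(combinations(universe, k) for k in range(len(universe) + 1))
    return [frozenset(T) for T in subsets if is_supported_model(frozenset(T), rules)]

def meaningful(rules: Sequence[Rule], universe: Sequence[Pos]) -> bool:
    """Semantics 1: the TSS has exactly one supported model."""
    return len(supported_models(rules, universe)) == 1

def provable(goal: Formula, rules: Sequence[Rule], universe: Sequence[Pos], path: Tuple = ()) -> bool:
    """Supported proof search (Definition 7). `path` holds the goals on the branch below the
    current node; meeting one of them again would close a cycle, which a well-founded tree forbids."""
    if goal in path:
        return False
    path = path + (goal,)
    if len(goal) == 3:                 # positive node: some rule instance with provable premises
        return any(conc == goal and all(provable(pr, rules, universe, path) for pr in prem)
                   for prem, conc in rules)
    # negative node: every rule instance that could contradict it must have a refuted premise
    attackers = [prem for prem, conc in rules if contradicts(conc, goal)]
    return all(any(refuted(pr, rules, universe, path) for pr in prem) for prem in attackers)

def refuted(premise: Formula, rules, universe, path) -> bool:
    """Some formula contradicting `premise` has a supported proof."""
    if len(premise) == 3:
        return provable(premise[:2], rules, universe, path)
    return any(provable(t, rules, universe, path) for t in universe if contradicts(t, premise))

def s_complete(rules: Sequence[Rule], universe: Sequence[Pos]) -> bool:
    """Semantics 2: each candidate formula or a formula contradicting it has a supported proof."""
    return all(provable(t, rules, universe) or refuted(t, rules, universe, ()) for t in universe)

# Example 1 over the single closed term p and label s; the only candidate transition is p -s-> p.
PSP: Pos = ("p", "s", "p")
R1: Rule = ([PSP], PSP)             # (r1): from p -s-> p conclude p -s-> p
R2: Rule = ([("p", "s")], PSP)      # (r2): from p -s/-> conclude p -s-> p
AXIOM: Rule = ([], PSP)             # constructed for contrast: p -s-> p with no premises
UNIVERSE = [PSP]
```

`supported_models([R1], UNIVERSE)` returns both ∅ and {p -s-> p}, `[R2]` returns nothing and `[R1, R2]` returns exactly {p -s-> p}, as in Example 6; `s_complete` is false for all three, as in Example 10, because every proof attempt for p -s-> p or p -s/-> re-enters its own goal. Adding `AXIOM` next to (r2) shows the difference between a cyclic and a merely negative premise: the transition then has a one-node proof, the TSS is both meaningful and s-complete, and (r2) simply never fires.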

4 Structured Operational Semantics for Esterel 

Our semantic specification of Esterel is presented in Figures 2 and 3. The state of the SOS comprises the syntax of the program currently being executed (defined by the grammar in Figure 1). The semantics is supposed to define two predicates, p ↓_{I,c} and p ↑^{I,c,s}, respectively, where the former means that p terminates with input evaluation I and under context c (if p is part of program c), and the latter means that p emits signal s (in the present time-instant) under the same assumptions. (A predicate formula can be formally interpreted as a transition formula with a dummy right-hand side; in our case one can take 0 to be the dummy target of all predicate formulae, i.e., read p ↑^{I,c,s} and p ↓_{I,c} as p ↑^{I,c,s} 0 and p ↓_{I,c} 0, respectively.) In addition to the two predicates, the semantics is supposed to define a transition relation of the form p -I,c,s-> p', which denotes that program p emits signal s under input evaluation I and context c. Next, we briefly describe the deduction rules in Figures 2 and 3 and then show how they formalize the intuitive properties of Esterel programs discussed before. In all labels (of predicates and transitions) of Figures 2 and 3, I ⊆ {i⁺, i⁻ | i ∈ ℐ} such that for each i ∈ ℐ, either i⁻ ∈ I or i⁺ ∈ I (but not both), c ∈ C(Σ), i ∈ ℐ, x ∈ 𝒪 ∪ Λ and s ∈ Λ.

[Figure 2: Structured Operational Semantics for Esterel (Part I: Signal Emission). The figure gives deduction rules (e0), (s0), (s1), (s2), (p0), (p1), (f0), (f1), (f2), (f3) and (en0), the last with a freshness side condition on the substituted signal; the rule bodies did not survive extraction and are described in the text below.]
In Figure 2, (e0) states that emit s can emit signal s under any arbitrary input evaluation and context. Deduction rules (s0), (s1) and (s2) describe when a sequential composition emits a signal, namely, when either the first component of the composition emits it, or when the first component terminates (possibly after a transition) and the second component emits the signal.

The notions of termination and transition are defined in Figure 3. A parallel composition emits a signal if one of its components emits the signal, which is captured by deduction rules (p0) and (p1). An if-then-else construct emits a signal if either, according to deduction rule (f0), the local signal in its condition is emitted and the if-branch emits the signal or, according to deduction rule (f1), the local signal in the condition cannot be emitted and the else-branch is taken and emits the signal. Deduction rules (f2) and (f3) take care of the case where the condition is an input signal. In such cases, the condition is checked against the given input evaluation. A program p with a local signal s can emit a signal s' if p with a fresh signal s'' substituted for s can emit s' (but if s' is s, then p should be able to emit s'').

In Figure 3, the concept of termination is defined through the predicate ↓_{I,c} in a straightforward manner. Exceptions are deduction rules (if4) and (if5), which rely on (the impossibility of) the emission of the condition signal for proving termination. In Figure 3, the deduction rules specifying a transition relation are almost identical to their counterparts in Figure 2. The most notable exceptions are deduction rules (seq0) to (seq4) and (par0) to (par3), which should consider all possible combinations of simultaneous transitions and individual transitions with (non-)termination in order to record the right target for the transition.

One advantage of our approach over the semantics of Esterel presented in [Ber99, Tin00, Tin01] is that we can capture both the logical semantics and the constructive semantics of Esterel using the same TSS (by using two generic notions of semantics for TSSs already known in the literature). Another advantage is that it establishes a clear link between, respectively, the logical and the constructive approaches to Esterel semantics on the one hand, and the model- and proof-theoretic semantics of TSSs on the other hand.

Definition 11 (Logical Semantics of Esterel) An Esterel program p is logically coherent if the above-given TSS is meaningful according to Semantics 1 for subterms(p) and (predicates and) transitions labeled {↓_{I,p}, ↑^{I,p,x}, -I,p,x->}. The semantics of p is the set of above-mentioned predicates and transitions
[Figure 3: Structured Operational Semantics for Esterel (Part II: Transition and Termination). The figure gives deduction rules (seq0) to (seq4), (par0) to (par4), (if0) to (if6), (enc0) and (enc1), the last two with a freshness side condition on the substituted signal s''; the rule bodies did not survive extraction and are described in the text.]
Next, we show that Definition 11 indeed satisfies the intuition behind logical coherency by re-examining the examples introduced in Section 2.

Example 12 Consider program P0, recalled below.

P0   pres i ? emit s o 0 end ; pres s ? 0 o emit o end

It is straightforward to check that the following is the semantics of P0:

{ P0 ↑^{{i⁺},P0,s}, P0 ↑^{{i⁻},P0,o}, P0 -{i⁺},P0,s-> 0, P0 -{i⁻},P0,o-> 0, emit s -{i⁺},P0,s-> 0, emit s -{i⁻},P0,s-> 0, emit o -{i⁺},P0,o-> 0, emit o -{i⁻},P0,o-> 0, 0 ↓_{{i⁺},P0}, 0 ↓_{{i⁻},P0} }¹
Consider program P1 quoted below.

P1   pres s ? emit s o 0 end

It has two supported models, namely {P1 ↑^{∅,P1,s}, P1 -∅,P1,s-> 0, emit s ↑^{∅,P1,s}, emit s -∅,P1,s-> 0, 0 ↓_{∅,P1}} and {emit s -∅,P1,s-> 0, emit s ↑^{∅,P1,s}, 0 ↓_{∅,P1}}. Hence, P1 is not meaningful according to Semantics 1.
Consider program P2 recalled below.

P2   pres s ? 0 o emit s end

Program P2 does not have any supported model. Assume, towards a contradiction, that P2 ↑^{∅,P2,s} is in the purported supported model T. It then follows from item 1 in Definition 5 that there exists a deduction rule whose conclusion can match P2 ↑^{∅,P2,s} and whose premises are consistent with T. The only candidates are (f0) and (f1); we analyze both cases below and show that they both lead to a contradiction.

(f0) The premises of the instance of (f0) are P2 ↑^{∅,P2,s} and 0 ↑^{∅,P2,s}. It follows from item 1 of Definition 5 that both predicates should be in T and hence, item 1 again applies to both predicates and in particular to 0 ↑^{∅,P2,s}. Hence, there should exist a deduction rule whose conclusion matches the above predicate. A simple syntactic check on the deduction rules of Figures 2 and 3 reveals that none of the conclusions can be unified with the above predicate and hence a contradiction follows.

(f1) The premises of the instance of (f1) are ¬P2 ↑^{∅,P2,s} and emit s ↑^{∅,P2,s}, both of which should be consistent with T. Again item 1 of Definition 5 applies and thus, ¬P2 ↑^{∅,P2,s} should be consistent with T, or in other words, P2 ↑^{∅,P2,s} ∉ T, which contradicts our initial assumption.

The next program to consider is P3, quoted below.

P3   pres s ? emit s o emit s end

Program P3 is indeed meaningful and has the following unique supported model.

{P3 ↑^{∅,P3,s}, P3 -∅,P3,s-> 0, emit s ↑^{∅,P3,s}, emit s -∅,P3,s-> 0, 0 ↓_{∅,P3}}

Note that P3 ↑^{∅,P3,s} (and/or the transition of P3) cannot be removed from the supported model; to see this, it follows from item 2 of Definition 5 and deduction rule (e0) that emit s ↑^{∅,P3,s} ∈ T and, following the same reasoning and deduction rule (f1), we have that P3 ↑^{∅,P3,s} ∈ T.

Program P4 is considered logically coherent but not constructive by the language designers. Next, we show that this intuition is indeed supported by our formal definitions.

¹ For each program, we choose ℐ, 𝒪 and Λ, respectively, to comprise only the input, output and local variables mentioned in the program at hand. This allows us to focus only on the possibly relevant part of I when considering supported models.

Causality in the Semantics of Esterel

P4   pres s_0 ? emit s_0 o 0 end || pres s_0 ? pres s_1 ? 0 o emit s_1 end o 0 end

Program P4 has a unique supported model, given below.

{emit s_0 ↑^{∅,P4,s_0}, emit s_0 -∅,P4,s_0-> 0, emit s_1 ↑^{∅,P4,s_1}, emit s_1 -∅,P4,s_1-> 0, 0 ↓_{∅,P4}}

Note that neither the emission of s_0 nor that of s_1 can be present in a supported model. First, concerning s_1, suppose that s_1 can be emitted; then it follows from item 1 of Definition 5 that there should be a deduction rule supporting this emission. This can only be due to (p1) and thus, the right-hand-side component of the parallel composition. This component, in turn, can only emit s_1 (due to deduction rules (f0) and then (f1)) if s_0 is present and s_1 is absent under the same context. The latter contradicts our assumption. Similarly, suppose that the supported model contains a predicate (or transition) to the effect that s_0 can be emitted. We already know that no predicate for emitting s_1 can be in the supported model. Hence, it follows from successive application of item 2 of Definition 5 using deduction rules (f0), (f1) and (e0) that s_1 can be emitted under the same context, which has already been shown to lead to a contradiction.

P5   pres s0 ? emit s1 o end ; emit s0 

Program P5 is also meaningful and has a unique supported model, given below. 

$\{\, P5 \uparrow^{\emptyset,P5,s_0},\; P5 \uparrow^{\emptyset,P5,s_1},\; P5 \xrightarrow{\emptyset,P5,s_0} 0,\; P5 \xrightarrow{\emptyset,P5,s_1} 0,$ 

$\text{pres } s_0\ ?\ \text{emit } s_1\ o\ \text{end} \uparrow^{\emptyset,P5,s_1},\; \text{pres } s_0\ ?\ \text{emit } s_1\ o\ \text{end} \xrightarrow{\emptyset,P5,s_1} 0,$ 

$\text{emit } s_0 \uparrow^{\emptyset,P5,s_0},\; \text{emit } s_0 \xrightarrow{\emptyset,P5,s_0} 0,\; \text{emit } s_1 \uparrow^{\emptyset,P5,s_1},\; \text{emit } s_1 \xrightarrow{\emptyset,P5,s_1} 0,\; 0 \downarrow^{\emptyset,P5} \,\}$. 

Note that none of the predicates or transitions concerning the emission of s0 and s1 can be omitted 
from the supported model. If the predicate (transition) concerning the emission of s0 is omitted, then the 
first component of the sequential composition terminates and hence s0 should be emitted due to the second 
component. Since s0 should always be emitted, the emission of s1 is guaranteed by the first component 
of the sequential composition. 

Definition 13 (Constructive Semantics of Esterel) An Esterel program p is constructive if for each sig- 
nal s and each input evaluation I either $p \uparrow^{I,p,s}$ and $p \xrightarrow{I,p,s} p'$ (for some $p'$), or $\neg p \uparrow^{I,p,s}$ and $p \not\rightarrow^{I,p,s}$, has a 
supported proof and moreover, either $p \downarrow^{I,p}$ or $\neg p \downarrow^{I,p}$ has a supported proof. 

To illustrate this semantics and identify its differences with the logical semantics, we reconsider those 
programs which are considered non-constructive but logically coherent in Section [2]. 

Example 14 Consider program P3. This program is both intuitively and formally shown to be logi- 
cally coherent. Moreover, in Section [2] we introduced this program as a canonical example of a non- 
constructive program. Next, we show that it is also formally non-constructive, since neither $P3 \uparrow^{\emptyset,P3,s}$ 
nor $\neg P3 \uparrow^{\emptyset,P3,s}$ has a supported proof (a similar reasoning shows that neither $P3 \xrightarrow{\emptyset,P3,s} p'$ for any $p'$ 
nor $P3 \downarrow^{\emptyset,P3}$ has a supported proof). Suppose $P3 \uparrow^{\emptyset,P3,s}$ has a supported proof; then its proof is either 
due to (f0) or to (f1). In the former case, the nodes placed above our proof obligation are $P3 \uparrow^{\emptyset,P3,s}$ and 
$\text{emit } s \uparrow^{\emptyset,P3,s}$. While the latter has a supported proof (due to (e0)), the former was our original proof 
obligation; thus, it only remains to check the alternative option due to (f1). The premises of (f1) are 
then $\neg P3 \uparrow^{\emptyset,P3,s}$ and $\text{emit } s \uparrow^{\emptyset,P3,s}$. Again the latter formula has a supported proof, but the former is the 
negation of our proof obligation, and thanks to Theorem we know that if $\neg P3 \uparrow^{\emptyset,P3,s}$ has a supported 
proof then $P3 \uparrow^{\emptyset,P3,s}$ cannot have a supported proof. Similarly, if $\neg P3 \uparrow^{\emptyset,P3,s}$ has a supported proof, then 
a negation of a premise of all deduction rules that can match $P3 \uparrow^{\emptyset,P3,s}$ must have a supported proof. 
These two rules are again (f0) and (f1). The negation of the common premise of these two rules, i.e., 
$\neg\,\text{emit } s \uparrow^{\emptyset,P3,s}$, cannot have a supported proof (following Theorem, because the premise itself has a sup- 
ported proof). Hence a negation of both $P3 \uparrow^{\emptyset,P3,s}$ and $\neg P3 \uparrow^{\emptyset,P3,s}$ should have supported proofs, which 
is again impossible due to Theorem. 

Program P4 is not constructive, since neither $P4 \uparrow^{\emptyset,P4,s_0}$ nor its negation has a supported proof. 
The only possible proof for the emission predicate can be due to (p0) or (p1). The case for (p1) does 
not lead to a supported proof, since the right-hand side does not contain any emit statement for s0. If 
the supported proof is due to (p0), then it should hold that $P4 \uparrow^{\emptyset,P4,s_0}$, which was to be proven. The 
negation of the predicate, i.e., $\neg P4 \uparrow^{\emptyset,P4,s_0}$, does not have a supported proof either, since then a negation 
of a premise of (p0) and (p1) should have a supported proof. The negation of the only premise of (p0) is 
$\neg\,\text{pres } s_0\ ?\ \text{emit } s_0\ o\ \text{end} \uparrow^{\emptyset,P4,s_0}$, which in turn means that a negation of a premise of (f0) or (f1) must 
have a supported proof. Consider (f0); its two premises are $P4 \uparrow^{\emptyset,P4,s_0}$, but we were seeking a proof of 
its negation, and $\text{emit } s_0 \uparrow^{\emptyset,P4,s_0}$, whose negation cannot be proven. 

Program P5 is not constructive either. We next show that neither $P5 \uparrow^{\emptyset,P5,s_0}$ nor its negation is 
provable. The purported supported proof for predicate $P5 \uparrow^{\emptyset,P5,s_0}$ is due to one of the rules (s0) to (s2). 
Next, we analyze each case and show that it leads to a contradiction. 

(s0) Then, it should hold that $\text{pres } s_0\ ?\ \text{emit } s_1\ o\ \text{end} \uparrow^{\emptyset,P5,s_0}$. This, in turn, can be either due to 
(f0) or (f1). If the predicate is due to (f0), then we should have a supported proof for $P5 \uparrow^{\emptyset,P5,s_0}$, 
which was to be proven. If the proof is due to (f1), then $\neg P5 \uparrow^{\emptyset,P5,s_0}$ should have a supported proof, 
which is impossible due to Theorem. 

(s1) Then, it should hold that $\text{pres } s_0\ ?\ \text{emit } s_1\ o\ \text{end} \downarrow^{\emptyset,P5}$. This termination can be due to ei- 
ther (if4) or (if5). Neither of these two is possible, since otherwise, respectively, $P5 \uparrow^{\emptyset,P5,s_0}$ or 
$\neg P5 \uparrow^{\emptyset,P5,s_0}$ should have a supported proof. 

(s2) Then, it should hold that $\text{pres } s_0\ ?\ \text{emit } s_1\ o\ \text{end} \xrightarrow{\emptyset,P5,s'} p'$ for some $s'$ and $p'$. This transition 
is due to either (if0) or (if1). Again, both cases lead to a contradiction by a similar reasoning 
as in item (s0). 

As a side note, the common intuition and the similarities between deduction rules of Figures [2] and [3] 
may suggest that we can replace the deduction rules of Figure [2] with the following rule (or even do without 
the emission predicates and make the same changes in the deduction rule for if-then-else statements in 
Figure [3]): 

(emit)   [deduction rule not recovered] 

This change leads to a much more restrictive semantics, which is unable to provide supported proofs 
for transitions of perfectly acceptable programs such as the following: 

P6   pres s ? emit o o end || emit s 

To see this, the reader may try to prove that P6 can emit signal o using deduction rule (par0). The 
proof of the premise of (par0) then should rely on (if0), and hence, due to deduction rule (emit), we need 
to prove that s can be emitted (for the if-then-else to be able to take a transition). In turn, this can only 
be due to (par1). But to apply (par1), we need to know that the left-hand-side component can take a 
transition (in order to record its target), which is what we wanted to prove initially. This cycle is broken 
in our semantics by deduction rule (p1), which only considers one of the two components to infer the 
emission of s0 (without trying to record the target of the transition). The following proof illustrates why 
this program is indeed constructive. 

[Proof tree for P6 (only the formulas are recoverable from the page): the leaves are $\text{emit } s \uparrow^{\emptyset,P6,s}$ and $\text{emit } o \xrightarrow{\emptyset,P6,o} 0$; from these, $\text{pres } s\ ?\ \text{emit } o\ o\ \text{end} \xrightarrow{\emptyset,P6,o} 0$ and $\text{emit } s \xrightarrow{\emptyset,P6,s} 0$ are derived; the conclusion is $P6 \xrightarrow{\emptyset,P6,o} 0\,||\,0$.] 
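The constructiveness verdicts for P3 to P6 can be reproduced mechanically with a Must/Can fixpoint in the style of Berry's constructive semantics, which on these four programs agrees with Definition 13. The following Python is an added example, not code from the paper; it restricts itself to the instantaneous fragment used in the examples (nothing, emit, present-else, sequence, parallel), assumes the empty input evaluation $I = \emptyset$ as in the text, and uses constructed signal names and a constructed encoding of the programs. A signal is decided present once some branch must emit it, decided absent once no branch can still emit it, and a program is constructive when the fixpoint leaves no signal undecided.

```python
"""Must/Can fixpoint for the instantaneous Esterel fragment of the examples (added example)."""
from dataclasses import dataclass


# ---- abstract syntax of the fragment: nothing, emit s, pres s ? p o q end, p ; q, p || q ----
@dataclass(frozen=True)
class Nothing:
    pass


@dataclass(frozen=True)
class Emit:
    sig: str


@dataclass(frozen=True)
class Present:  # pres sig ? then o otherwise end
    sig: str
    then: object
    otherwise: object


@dataclass(frozen=True)
class Seq:
    first: object
    second: object


@dataclass(frozen=True)
class Par:
    left: object
    right: object


PRESENT, ABSENT = "present", "absent"  # a signal missing from env is still undecided


def must(p, env):
    """Signals p must emit and whether it must terminate, given the decided signals in env."""
    if isinstance(p, Nothing):
        return set(), True
    if isinstance(p, Emit):
        return {p.sig}, True
    if isinstance(p, Present):
        status = env.get(p.sig)
        if status == PRESENT:
            return must(p.then, env)
        if status == ABSENT:
            return must(p.otherwise, env)
        return set(), False  # undecided test: nothing is forced, not even termination
    if isinstance(p, Seq):
        s1, t1 = must(p.first, env)
        if not t1:
            return s1, False  # the second component runs only if the first must terminate
        s2, t2 = must(p.second, env)
        return s1 | s2, t2
    if isinstance(p, Par):
        s1, t1 = must(p.left, env)
        s2, t2 = must(p.right, env)
        return s1 | s2, t1 and t2
    raise TypeError(p)


def can(p, env):
    """Signals p can still emit and whether it can terminate (over-approximation)."""
    if isinstance(p, Nothing):
        return set(), True
    if isinstance(p, Emit):
        return {p.sig}, True
    if isinstance(p, Present):
        status = env.get(p.sig)
        if status == PRESENT:
            return can(p.then, env)
        if status == ABSENT:
            return can(p.otherwise, env)
        s1, t1 = can(p.then, env)  # undecided test: either branch is still possible
        s2, t2 = can(p.otherwise, env)
        return s1 | s2, t1 or t2
    if isinstance(p, Seq):
        s1, t1 = can(p.first, env)
        if not t1:
            return s1, False
        s2, t2 = can(p.second, env)
        return s1 | s2, t2
    if isinstance(p, Par):
        s1, t1 = can(p.left, env)
        s2, t2 = can(p.right, env)
        return s1 | s2, t1 and t2
    raise TypeError(p)


def analyse(p, signals, inputs=frozenset()):
    """Iterate must/can to a fixpoint; returns (decided statuses, sorted undecided signals)."""
    env = {s: PRESENT for s in inputs}  # input signals given as present (empty in the examples)
    while True:
        m, _ = must(p, env)
        c, _ = can(p, env)
        new = dict(env)
        for s in signals:
            if s in new:
                continue
            if s in m:
                new[s] = PRESENT  # forced by some branch
            elif s not in c:
                new[s] = ABSENT  # no branch can still emit it
        if new == env:
            break
        env = new
    return env, sorted(s for s in signals if s not in env)


def is_constructive(p, signals, inputs=frozenset()):
    return analyse(p, signals, inputs)[1] == []


# constructed encodings of P3 to P6 from the text
P3 = Present("s", Emit("s"), Emit("s"))
P4 = Par(Present("s0", Emit("s0"), Nothing()),
         Present("s0", Present("s1", Nothing(), Emit("s1")), Nothing()))
P5 = Seq(Present("s0", Emit("s1"), Nothing()), Emit("s0"))
P6 = Par(Present("s", Emit("o"), Nothing()), Emit("s"))
```

Running `analyse(P3, {"s"})` leaves s undecided: with s unknown the present test is not forced either way, so nothing must be emitted, yet s can be emitted; this is exactly the situation of Example 14, where neither the emission predicate nor its negation has a supported proof. P4 and P5 leave both s0 and s1 undecided for the reasons given in the text, whereas for P6 the right-hand component forces s, after which the present test is decided and o is forced, so the fixpoint decides every signal.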



5 Conclusions and Future Work 



In this paper, we presented a link between the intuitive notions of logical coherency and constructiveness 
in the semantics of Esterel on the one hand, and the formal notions of supported models and supported 
proofs in the semantics of Structured Operational Semantics, on the other hand. By means of several 
canonical examples from the literature, we showed that our formal definitions indeed capture the intuitive 
criteria put forward by the language designers. 

Several formalizations of these two intuitive criteria exist in the literature. For example, [Ber99, 
PBEB07] present three formalizations of the constructive semantics of Esterel. In [Tin00, Tin01] another 
formalization of the constructive semantics of Esterel is presented and is proven to coincide with one of the 
notions in [Ber99]. A rigorous comparison between all these notions and the ones presented in this paper 
remains a topic for future research. 

In the semantics presented in this paper, we abstracted from the issues of exceptions (traps), loops 
and time. We expect that one can include these aspects without any substantial change in the semantics 
presented in this paper using the modular semantics approach of [Mos04, MN08]. This remains 
another interesting exercise for the future. 